Insurance policies can be intimidating documents, sometimes running to over a hundred pages and dense with unfamiliar terms and jargon. Nevertheless, they mostly all follow certain principles and can be understood to a reasonable degree if you understand how they are constructed and how to read them.
We check all your policies for you, of course, but you should look at your own policies, too. The following won’t make you an expert, but it will serve as a quick primer on basic things you need to know to begin to make sense of the policies that you pay so much for.
Steps for reading an insurance policy:
Identify who is insured.
- Look at the schedule of forms and endorsements.
- Read the insuring agreement.
- Read the exclusions and limitations, and any exceptions to exclusions.
- Read the definitions.
- Finally, read any endorsements that modify the policy.
In detail: Determine who qualifies as an insured. The first named insured is the primary policyholder and has most rights under the policy, but additional named insureds, and additional insureds (these two are different), all have some coverage and some rights. If the person or entity suffering or causing the loss, injury or damage is not an insured, there is no reason to go any further; there is no coverage.
Compare the forms and endorsements listed on the declarations page with the forms and endorsements attached to the policy to make sure you have the complete policy. Insurance companies update their forms periodically, so also confirm that the edition dates listed match the forms attached.
Read the insuring agreement that describes what the policy covers. Start
here to see what coverage may exist for a loss. Policies generally fall into two types, those with broad insuring agreements (special form or all risk property policies, commercial general and auto liability policies) with broadly written coverage grants that are then pared back by exclusions, and named or specified peril policies which specifically lists the types of events or occurrences the policy covers. With these you’ll need to read the list of covered perils (that which causes a loss) first before then turning to the exclusions.
Next read the exclusions and limitations. These take away coverage granted by broad insuring agreements; there will usually be a lot of them. There may be fewer exclusions in named perils policies because if a loss is not caused by one of the named perils in the first place it is not covered. Also read any exceptions to the exclusions. Exceptions may give some coverage back in specific amounts or under described circumstances.
The insurance company wants to control the meaning of certain words and phrases and does so by specifically defining them in the policy. Read these next. These will often be printed in bold or italics in the policy, indicating you should refer to the definition found in the policy. Definitions can further define or limit the breadth of protection. Words not defined are given their common, everyday meaning.
Finally, read any endorsements that apply. Check these off on the schedule of forms as you go. Highlight the policy form that is changed by an endorsement and note which endorsement changes that section. Note exactly what the endorsement changes; they can add, broaden or enhance coverage, or create a limitation or exclusion.
In some package policies you may find several sections devoted to separate coverages such as property, crime, general liability and so forth; read each section as if it were a separate policy. You’ll also find some pages devoted to general policy terms and conditions, such as cancellation or nonrenewal provisions, duties in the event of a loss, and such, which apply to all sections of the policy.
Some tips: As you are doing all this reading, when the policy refers to another section read that section immediately. And pay attention to key words and phrases. These create, alter, modify or delete coverage and limits; a policy can be materially altered by a two or three letter word. Some to look for (not an all-inclusive list):
Pay attention to the conjunctions used. “And” is inclusive; “Or” is exclusive. In a list of three qualifiers, the use of “and” means that all three must be satisfied; “or” means that any one of the three applies.
- “Not” as in “does not apply to…” or “does not include….” This changes or limits whatever preceded it.
- “Greater than…,” “lesser than…,” “Greater of…,” “lesser of…,” “no more than,” “the most…,” “all” or any other quantifying phrase.
- “Unless,” “except,” “only if…” or “subject to…” These indicate a condition, added requirement or an alternative.
- “However” discounts everything before it. This qualifying term creates coverage or condition parameters.
- “Includes,” is an inclusive term that broadens the provision to which it applies.
- “Must” and “regardless.” There is no alternative and surrounding circumstances are of no consideration in meeting the requirement.
Remember that an insurance policy is a contract, between you and the insurance company. You would not sign a contract without reading it first; it behooves you to know what’s in your insurance contracts.
Breach Notification Basics
We wrote about cyber and privacy risk in the last issue, and mentioned that almost all states and various departments of the federal government had some form of law or regulation mandating how affected parties must be notified in the event of the loss of personally identifiable information. These legally required notification processes are littered with potential land mines, creating possibly severe consequences for any organization that handles them badly. These laws also continue to change literally every year as laws and regulations are revised and updated.
Continuing with this topic, whether you have insurance to cover privacy breach or not, here are some key points to keep in mind if you are faced with a breach.
Almost all jurisdictions mandate timely response, and in many there are specific timelines for notification. Don’t assume you have time for a leisurely and thoughtfully considered response; the clock starts ticking as soon as you become aware (or should have become aware) of a breach. You may also have contractual obligations to business partners (credit card processing companies, banks, etc.) mandating specific responses literally within hours.
Know who to notify
Affected parties, of course, but be aware that different demographics require different responses (minors and non English speakers, for example). You also need to know if, and which, governmental authorities and agencies and business partners require notification.
Know what to say
The contents of your notification letters will be dictated not only by specific regulatory requirements, but also by your own need to manage any public relations impact. You need to know what you are required to include (or leave out) of your notifications. Many states have been revising their laws to include very specific and detailed instructions on what must be included in notifications.
Know how to notify
Be prepared for the basic logistical requirements of notification. For example, you’ll need current addresses for everyone requiring notification. Are non-English speaking recipients included in that group? What will you do with returned mail? Your notification letter will include a contact number; are you prepared to handle the volume of calls anticipated, or will you need to employ an outsourced call center? These are all practical considerations you’ll need to deal with in an extremely short time frame.
Manage the damage
A privacy breach can potentially be a black eye for any organization, often attracting significant negative media attention. Responding off the cuff, with uncoordinated messages and a general impression of not being on top of the situation will only fuel leaks and rumors and make things worse, create frustration and anger among those affected, and increase legal liability risks, too. Have a plan, and one identified spokesperson armed with approved messages and information.
As we noted last issue, there is insurance available to cover the financial risks created by privacy breaches. These non standard policies have evolved and are now broader and of more value than in just the recent past. Many of the better ones include crisis response benefits that give policyholders instant access to professional resources to manage the fallout from these complicated and ever more frequent occurrences. These features by themselves are a good reason to consider buying this insurance; just having a phone number to call when you learn of a problem can be invaluable. If you have not looked into these policies recently, consider revisiting them now.
OSHA Action Spotlights Employer Risk
A ruling in favor of OSHA in an Illinois federal courtroom earlier this year highlights a potential problem for employers in every state.
Briefly, two employees of an Illinois employer were killed and third injured in an industrial accident. OSHA investigated, and concluded from initial findings the employees did not receive safety training and the employer did not provide safety equipment. To continue its investigation OSHA then subpoenaed the employer’s workers compensation insurance company for records and inspection documents in an effort to obtain more information. The employer objected but was overruled in court.
In fact, OSHA has always had the ability to subpoena such records. Communications between an insurance company and a policyholder are not confidential or protected information. The problem for employers is that they routinely allow insurance companies onto their premises for loss prevention services and safety inspections without ever considering that information in the resulting reports could be used against them in the future.
It’s a Catch-22. Loss prevention engineers and safety consultants are an important resource for any employer seeking to control and minimize work related injuries and claim costs. However, every time a safety consultant writes a report a document has been created; an inspection report that notes deficiencies can come back to hurt an employer in the future if not properly addressed.
Employers should certainly continue to rely on insurance company resources to control workers compensation costs, but you can’t just put any reports or communications received from engineers or insurance companies in a drawer and forget about them. If a report makes recommendations you must document your response. If you comply with a recommendation, it should be noted; if a recommendation is unrealistic or unworkable some form of compromise response should be discussed with the insurer, and documented. In every case you need to remember that any time you get a report from an insurance company, that report, and your responses, create a paper trail that could resurface in the future and potentially be used against you.
Here’s the rest of the story: after the subsequent investigation, and based in part on the information uncovered from the subpoenaed inspection records, OSHA issued 25 citations and fined the employer $555,000.
New Catastrophe Models
Catastrophe models have long guided insurers and reinsurers in the way they set capacity and pricing models for property insurance. The recently updated hurricane model from a major industry source features significant changes such as higher inland wind speeds, increases in building vulnerability, updates of secondary modifiers like roof type and construction, and increases in modeled storm surge losses. These all reflect new knowledge gained from real experience with recent storms and improvements in models accumulated over a number of years.
What does it mean to you? Insurance companies who might have been careful up to now to limit their exposure to catastrophe exposed coastal properties based on reliance on earlier models may now find their PML (Probable Maximum Loss) increased by as much as 150% to 200% based on these new models of inland exposures. That can translate into reduced willingness to retain risk, greater reliance on reinsurance, higher prices, and bigger deductibles.
Coastal risks are already seeing higher windstorm deductibles on properties even further inland from the coast than before. These deductibles are often somewhat disarmingly expressed as a per cent of TIV (Total Insured Value), often in the 1-2% range. Think about that a little more closely, though…a 40,000 square foot commercial building can easily have an insurable replacement value of $5 million; add another $5 million for contents, and $5 million for business income and extra expense, and a relatively modest building ends up with a TIV of $15 million. The owner of that building who accepted a deductible for wind or hail of one per cent of TIV now has a deductible for such losses of $150,000. That’s a pretty big deductible.
As the insurance market slowly stabilizes and starts to harden you will be likely to see this a lot more often in the future. We’ll be keeping an eye on this for you.